What is SARIF?
SARIF, or Static Analysis Results Interchange Format, is a standardized schema that static analysis tools use to structure the output of their code evaluations. Static analysis tools inspect source code without executing it, in order to uncover potential bugs, anti-patterns, and security vulnerabilities.
Developed by the OASIS SARIF Technical Committee, SARIF's key utility lies in its ability to create an interoperable environment among various static analysis tools. This allows the structured output from different tools to be universally understood and processed by other software components such as Integrated Development Environments (IDEs) or Continuous Integration/Continuous Deployment (CI/CD) systems, irrespective of the tool that originally generated the results.
SARIF is defined by a rigorous specification that dictates how static analysis results should be structured, making it easier to consolidate, manage, and visualize these results in a consistent and standardized manner. The specification also includes provisions for more advanced features such as code flow visualization and multi-tool analysis.
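The interoperability and consolidation described above come down to every tool emitting the same JSON shape. The following is an added example, not code from the page or from the OASIS committee: it takes SARIF 2.1.0 logs from two hypothetical tools (named "lintA" and "taintB", with constructed sample findings), normalizes each result into a tool-independent record, resolves the severity the way the specification describes (the result's own level, else the rule's defaultConfiguration level, else "warning"), flattens any codeFlows into source-to-sink steps, and merges the runs into one summary. Everything in the sample logs is constructed for illustration.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 log from a hypothetical tool "lintA". The result carries
# no "level"; severity must come from the rule's defaultConfiguration.
SARIF_TOOL_A = json.dumps({
    "version": "2.1.0",
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "runs": [{
        "tool": {"driver": {"name": "lintA", "version": "1.0", "rules": [
            {"id": "LA001", "shortDescription": {"text": "Hard-coded credential"},
             "defaultConfiguration": {"level": "error"}}]}},
        "results": [{
            "ruleId": "LA001", "ruleIndex": 0,
            "message": {"text": "Password literal assigned to variable"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/config.py"},
                "region": {"startLine": 12, "startColumn": 5}}}]}]}]})

# Constructed log from a hypothetical tool "taintB". First result has an explicit
# level and a code flow; second result has neither level nor rule default.
SARIF_TOOL_B = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "taintB", "rules": [
            {"id": "TB-SQLI", "shortDescription": {"text": "SQL injection"}}]}},
        "results": [
            {"ruleId": "TB-SQLI", "level": "error",
             "message": {"text": "Untrusted input reaches a SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.py"}, "region": {"startLine": 40}}}],
             "codeFlows": [{"threadFlows": [{"locations": [
                 {"location": {"physicalLocation": {
                     "artifactLocation": {"uri": "src/handler.py"}, "region": {"startLine": 8}},
                     "message": {"text": "source: request parameter"}}},
                 {"location": {"physicalLocation": {
                     "artifactLocation": {"uri": "src/db.py"}, "region": {"startLine": 40}},
                     "message": {"text": "sink: cursor.execute"}}}]}]}]},
            {"ruleId": "TB-SQLI",
             "message": {"text": "Query built with string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/report.py"}, "region": {"startLine": 77}}}]}]}]})


def _flatten_location(location):
    """Reduce a SARIF location object to (uri, startLine)."""
    phys = location.get("physicalLocation", {})
    return (phys.get("artifactLocation", {}).get("uri"),
            phys.get("region", {}).get("startLine"))


def _rule_for(result, rules):
    """Resolve the rule metadata: by ruleIndex first, then by ruleId match."""
    idx = result.get("ruleIndex")
    if idx is not None and 0 <= idx < len(rules):
        return rules[idx]
    return next((r for r in rules if r.get("id") == result.get("ruleId")), {})


def normalize(sarif_text):
    """Turn one SARIF log into a list of tool-independent finding records."""
    log = json.loads(sarif_text)
    if log.get("version") != "2.1.0":
        raise ValueError("unsupported SARIF version: %r" % log.get("version"))
    records = []
    for run in log.get("runs", []):
        driver = run["tool"]["driver"]
        rules = driver.get("rules", [])
        for res in run.get("results", []):
            if res.get("kind", "fail") != "fail":   # skip pass/review/notApplicable
                continue
            rule = _rule_for(res, rules)
            level = (res.get("level")
                     or rule.get("defaultConfiguration", {}).get("level")
                     or "warning")                   # spec fallback when nothing is set
            uri, line = (_flatten_location(res["locations"][0])
                         if res.get("locations") else (None, None))
            steps = [_flatten_location(tl["location"]) + (tl.get("location", {}).get("message", {}).get("text"),)
                     for cf in res.get("codeFlows", [])
                     for tf in cf.get("threadFlows", [])
                     for tl in tf.get("locations", [])]
            records.append({"tool": driver.get("name"), "rule": res.get("ruleId"),
                            "title": rule.get("shortDescription", {}).get("text"),
                            "level": level, "uri": uri, "line": line,
                            "message": res["message"]["text"], "steps": steps})
    return records


def merge_logs(*sarif_texts):
    """Consolidate findings from several tools' logs into one list."""
    return [rec for text in sarif_texts for rec in normalize(text)]


def summarize(records):
    """Count consolidated findings per severity level."""
    return dict(Counter(r["level"] for r in records))


if __name__ == "__main__":
    for rec in merge_logs(SARIF_TOOL_A, SARIF_TOOL_B):
        print("%-6s %-7s %s:%s %s" % (rec["tool"], rec["level"], rec["uri"], rec["line"], rec["message"]))
        for uri, line, note in rec["steps"]:
            print("        -> %s:%s  %s" % (uri, line, note))
    print(summarize(merge_logs(SARIF_TOOL_A, SARIF_TOOL_B)))
```

The normalized record is what a CI gate or dashboard would key on: severity resolution matters because a tool that relies on rule defaults and a tool that sets level per result both end up comparable, and the flattened code-flow steps give a reviewer the source-to-sink path without needing the originating tool.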
Although SARIF was designed primarily as a reporting format for static analysis tools, several dynamic analysis tools have also adopted it for reporting their findings. The specific data points captured by dynamic analysis tools may differ, however, because dynamic analysis requires executing the program rather than inspecting its source.